Closed ekse closed 10 years ago
The value is being assigned in r_bin_dwarf_parse_abbrev_raw, it does not seem to be checked against valid tag values.
```c
r_bin_dwarf_init_abbrev_decl(tmpdecl);

tmpdecl->code = tmp;
buf = r_uleb128(buf, &tmp);
tmpdecl->tag = tmp;
```
fixed. thanks

On 26 Sep 2014, at 03:26, ekse notifications@github.com wrote:

> The value is being assigned in r_bin_dwarf_parse_abbrev_raw, it does not seem to be checked against valid tag values.
Hi,
I did a bit of fuzzing on rabin2 with melkor; rabin2 will crash if it tries to print an invalid tag value in the dwarf header.
Test executable https://github.com/ekse/code/raw/master/sec/radare2-fuzzing/rabin2-crash-0705.elf
Test build : commit 2b0009b858bac997cef9510993e888f3a048438d
How to reproduce the crash:
Crash location:
0xfffdbddc is an invalid offset in dwarf_tag_name_encodings which causes the crash.
Backtrace
I didn't submit a patch as I am not familiar with the project. I don't know how you prefer to fix the issue, either by ensuring that the RBinDwarfAbbrevDecl struct is not assigned an invalid tag value or by checking in dump_r_bin_dwarf_debug_abbrev that the value is valid (I think option #1 would be better).
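The two fix options above, shown side by side in a small stand-alone reader (an added example, not radare2's own code): the abbreviation code and tag are read as ULEB128 from an attacker-controlled section, the tag is validated before the decl is stored (option #1), and the name lookup refuses any tag the table does not cover (option #2), next to the unchecked lookup that matches the crash. `decode_uleb128`, `parse_abbrev_decl`, `tag_name`, `struct abbrev_decl` and the sample byte strings are assumptions of this example, not names or data from the project or the crashing ELF.

```c
/*
 * Added example, not radare2 code: a minimal DWARF .debug_abbrev declaration
 * reader showing the unchecked-tag pattern from the issue next to a checked
 * one.  decode_uleb128, parse_abbrev_decl, tag_name and struct abbrev_decl are
 * hypothetical names; the byte samples below are constructed, not taken from
 * the crashing ELF.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A few real DW_TAG_* constants (DWARF 4, section 7.5.4). */
#define DW_TAG_array_type        0x01
#define DW_TAG_formal_parameter  0x05
#define DW_TAG_subprogram        0x2e
#define DW_TAG_variable          0x34
#define DW_TAG_lo_user           0x4080
#define DW_TAG_hi_user           0xffff

/* Dense table indexed by tag value, as in the issue; unknown slots are NULL. */
static const char *const dwarf_tag_names[DW_TAG_variable + 1] = {
    [DW_TAG_array_type]       = "DW_TAG_array_type",
    [DW_TAG_formal_parameter] = "DW_TAG_formal_parameter",
    [DW_TAG_subprogram]       = "DW_TAG_subprogram",
    [DW_TAG_variable]         = "DW_TAG_variable",
};
#define DWARF_TAG_NAMES_LEN (sizeof dwarf_tag_names / sizeof dwarf_tag_names[0])

struct abbrev_decl {
    uint64_t code;         /* abbreviation code referenced from .debug_info */
    uint64_t tag;          /* DW_TAG_* value, attacker-controlled on disk */
    uint8_t  has_children; /* DW_CHILDREN_yes / DW_CHILDREN_no */
};

/* Decode one unsigned LEB128 value. Returns bytes consumed, or 0 if the input
 * is truncated or the value does not fit in 64 bits. */
static size_t decode_uleb128(const uint8_t *buf, size_t len, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t byte = buf[i];
        if (shift >= 64) {
            if (byte & 0x7f) return 0;           /* overflow */
        } else if (shift == 63) {
            if (byte & 0x7e) return 0;           /* only bit 63 is left */
            result |= (uint64_t)(byte & 1) << 63;
        } else {
            result |= (uint64_t)(byte & 0x7f) << shift;
        }
        shift += 7;
        if (!(byte & 0x80)) {
            *out = result;
            return i + 1;
        }
    }
    return 0; /* ran off the end without a terminating byte */
}

/* The crashing pattern: the on-disk tag is used as an array index with no
 * bounds check, so any tag >= DWARF_TAG_NAMES_LEN reads out of bounds.
 * Kept for comparison only; safe solely for tags known to be in range. */
static const char *tag_name_unchecked(uint64_t tag)
{
    return dwarf_tag_names[tag];
}

/* Checked lookup (option #2 in the issue): NULL for anything the table does not name. */
static const char *tag_name(uint64_t tag)
{
    if (tag < DWARF_TAG_NAMES_LEN && dwarf_tag_names[tag])
        return dwarf_tag_names[tag];
    return NULL;
}

/* Option #1: accept only tags the table names or the vendor range. */
static int tag_is_valid(uint64_t tag)
{
    if (tag >= DW_TAG_lo_user && tag <= DW_TAG_hi_user)
        return 1;
    return tag_name(tag) != NULL;
}

/* Parse one abbreviation declaration header (code, tag, children flag) and
 * reject a bad tag before the decl is stored. Returns bytes consumed, 0 on
 * error. A code of 0 is the table terminator and carries no tag. */
static size_t parse_abbrev_decl(const uint8_t *buf, size_t len, struct abbrev_decl *d)
{
    size_t n, used;
    memset(d, 0, sizeof *d);
    if ((n = decode_uleb128(buf, len, &d->code)) == 0) return 0;
    used = n;
    if (d->code == 0) return used;
    if ((n = decode_uleb128(buf + used, len - used, &d->tag)) == 0) return 0;
    used += n;
    if (!tag_is_valid(d->tag)) return 0;   /* the check the issue asks for */
    if (used >= len) return 0;
    d->has_children = buf[used++];
    return used;
}

/* Parse a decl and return its printable tag name, or NULL if it was rejected
 * (or is a valid vendor tag with no name in the table). */
static const char *abbrev_tag_name_from(const uint8_t *buf, size_t len)
{
    struct abbrev_decl d;
    if (parse_abbrev_decl(buf, len, &d) == 0 || d.code == 0) return NULL;
    return tag_name(d.tag);
}

/* Constructed samples: code 1 / DW_TAG_subprogram / children, and code 2 with
 * tag 0x7fffffff, which is neither a known tag nor in the vendor range. */
static const uint8_t good_decl[] = {0x01, 0x2e, 0x01};
static const uint8_t bad_decl[]  = {0x02, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00};

int main(void)
{
    const char *name = abbrev_tag_name_from(good_decl, sizeof good_decl);
    printf("good decl: %s\n", name ? name : "(rejected)");
    name = abbrev_tag_name_from(bad_decl, sizeof bad_decl);
    printf("bad decl:  %s\n", name ? name : "(rejected)");
    printf("unchecked lookup of an in-range tag: %s\n",
           tag_name_unchecked(DW_TAG_array_type));
    return 0;
}
```

Validating at parse time (option #1) is the stronger choice because every later consumer of the decl, not just the dump routine, then sees only tags the reader knows how to handle; the bounds-checked `tag_name` is still worth keeping as a second line of defence for tables that are sparse or shorter than the highest accepted tag.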